Turla APT upgrades attack arsenal to evade malware detectors

Russia-linked Turla hacking group has developed new fileless malware to evade detection software

Turla, a hacking group believed to be Russian-based with a history of targeting governments and militaries worldwide, has improved its attack techniques by adding new features designed to duck detection software, Kaspersky Lab has reported. Its researchers have been probing the methods used in Turla attacks on government and diplomatic organisations.

"2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools," said the research report.

According to the report, Turla has revamped its toolset by wrapping its JavaScript KopiLuwak malware in a new dropper called Topinambour, and by creating two near-identical versions of the implant in other languages, .NET and PowerShell.

"The purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a ‘fileless’ module chain on the victim’s computer consisting of an initial small runner and several Windows system registry values containing the encrypted remote administration tool," the report said.

"The tool does all that a typical Trojan needs to accomplish: upload, download and execute files, fingerprint target systems. The PowerShell version of the Trojan also has the ability to get screenshots," it added.

"While it appears to be simple, the ability to receive and execute external shell commands allows the attacker to execute additional executables, check network information and run a variety of other commands in their own time," he explained.
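The description above (a small runner plus registry values holding an encrypted tool) implies a straightforward hunting check: look for registry values that are far larger and far more random than configuration data has any reason to be. The script below is an added example, not Kaspersky's tooling or anything from the report; the registry key, the sample `reg export` text and the size and entropy thresholds are all constructed for illustration. It parses the export format written by `reg export`, decodes base64 strings first (a PowerShell stage stored as text would otherwise score as ordinary text), and flags values that are both large and close to 8 bits per byte.

```python
"""Flag registry values that look like stored encrypted payloads.

Added example: parses `reg export`-style text and scores each value by
decoded size and Shannon entropy. Thresholds are illustrative assumptions,
not published indicators; the sample export below is constructed.
"""
import base64
import hashlib
import math
import re
from collections import Counter

MIN_BYTES = 1024      # assumption: benign config values are rarely this big
MIN_ENTROPY = 7.0     # assumption: ciphertext sits near 8.0 bits per byte
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _join_continuations(text: str):
    """Yield logical lines, merging hex lines that reg export wraps with '\\'."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text: str):
    """Yield (key, name, kind, raw_bytes) for quoted-string, dword: and hex: values."""
    key = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            s = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, "string", s.encode("utf-8")
        elif rhs.startswith("dword:"):
            yield key, name, "dword", bytes.fromhex(rhs[6:])
        elif rhs.startswith("hex"):            # hex:, hex(2):, hex(7): ...
            body = rhs.split(":", 1)[1]
            yield key, name, "binary", bytes.fromhex(body.replace(",", ""))


def payload_bytes(kind: str, data: bytes) -> bytes:
    """Bytes to measure: a base64 string is decoded first, because text
    encoding caps entropy at ~6 bits/byte and would hide a stored blob."""
    if kind == "string":
        text = data.decode("utf-8", "replace")
        if len(text) >= 16 and len(text) % 4 == 0 and _B64_RE.match(text):
            try:
                return base64.b64decode(text, validate=True)
            except ValueError:
                pass
    return data


def find_suspicious_values(text, min_bytes=MIN_BYTES, min_entropy=MIN_ENTROPY):
    """Return [(key, name, size, entropy)] for values that look like payloads."""
    hits = []
    for key, name, kind, data in parse_reg_export(text):
        blob = payload_bytes(kind, data)
        ent = shannon_entropy(blob)
        if len(blob) >= min_bytes and ent >= min_entropy:
            hits.append((key, name, len(blob), round(ent, 2)))
    return hits


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic SHA-256 chain standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def _as_reg_hex(data: bytes) -> str:
    """Format bytes as reg export does: comma-separated, 25 per wrapped line."""
    hexes = [f"{b:02x}" for b in data]
    lines = [",".join(hexes[i:i + 25]) for i in range(0, len(hexes), 25)]
    return ",\\\n  ".join(lines)


# Constructed sample export: two benign values, a base64 text stage and a
# binary blob. The key name is an assumption, not a real indicator.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Example]\n"
    '"Version"="1.2.3"\n'
    '"Enabled"=dword:00000001\n'
    '"Stage"="' + base64.b64encode(_pseudo_random(1536, b"s1")).decode() + '"\n'
    '"Cache"=hex:' + _as_reg_hex(_pseudo_random(2048, b"s2")) + "\n"
)

if __name__ == "__main__":
    for key, name, size, ent in find_suspicious_values(SAMPLE_REG):
        print(f"{key}\\{name}: {size} bytes, {ent} bits/byte")
```

On a live host the input would be `reg export HKCU\Software out.reg /y` (and the same for the other hives a persistence mechanism can reach), and the thresholds would be tuned against a known-clean baseline, since installers do legitimately store compressed or binary data in the registry.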

The group's earlier campaigns are well documented. "Their infection techniques included 'watering hole attacks', advanced spear-phishing attacks delivered via email and social engineering. Typically, it would target government departments in the EU and the Middle East," said Rashti.

The attacker group rose to fame in 2014, when a six-year-long cyber-espionage campaign targeting the governments and embassies of several former Eastern Bloc countries came to light.

"Trojan.Wipbot (known by other vendors as Tavdig) is a back door used to facilitate reconnaissance operations before the attackers shift to long-term monitoring operations using Trojan.Turla (which is known by other vendors as Uroboros, Snake, and Carbon)," Symantec wrote about the attack at the time.

"It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks," it added.

Security researchers and intelligence officers in the West were quick to point out that the malware was linked to the same software used in a massive US military data breach uncovered in 2008. It was also connected to an earlier global cyber-spying campaign named Red October, which targeted military, diplomatic and nuclear research networks, Reuters reported.

"For employees working in government or other sensitive roles who may be targets of such groups, appropriate security awareness training is vital to prevent them falling victim to watering hole, phishing, or other social engineering attacks," said Javvad Malik, security awareness advocate at KnowBe4.

"In addition, companies need to have robust, reliable, and up to date threat intelligence capabilities so that indicators of compromise from threat actors can be readily identified and responded to," he added.

"The NCSC encourages any organisation that has previously experienced a compromise by the Turla group to be diligent in checking for the presence of these additional tools. Whilst they are commonly deployed alongside the Snake rootkit, these tools can also be operated independently," said the guidance on the group issued by the UK's National Cyber Security Centre (NCSC).